- Advisory ID: DRUPAL-SA-2006-014
- Project: Recipe 4.6
- Date: 2006-Aug-08
- Security risk: less critical
- Exploitable from: remote
- Vulnerability: Cross site scripting
Description
It is possible for a malicious user to insert and execute XSS (Cross Site Scripting), due to lack of validation on output from the contributed Recipe module. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia.
This is a revision to DRUPAL-SA-2006-013, which was sent due to the mistaken belief that the 4.6 branch of Recipe was fixed. As it later became known, this was not the case. The Drupal security team has taken immediate steps to repair the vulnerability in the 4.6 version and publish this revised advisory.
Versions affected
Please check the CVS $Id$ field in the file recipe.module to determine whether the version you are running is vulnerable.
Versions for Drupal 4.6 older than the following are vulnerable:
// $Id: recipe.module,v 1.39.2.3 2006/08/08 21:38:40 heine Exp $
Drupal core is not affected. If you do not use the Recipe module, there is nothing you need to do.
Solution
Install the updated 4.6 version of Recipe.
See also Recipe's project page and other releases.
Reported by
spatz4000
Contact
The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.
